Dynamic address assignment for access control on DHCP networks

ABSTRACT

Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subset. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.

Networks commonly use the Dynamic Host Configuration Protocol (DHCP) toassign and manage internet protocol (IP) addresses in networks.Typically, the DHCP service is provided by DHCP server software on acomputing device referred to as a DHCP server. When a new endpoint(e.g., PC or notebook computer) attaches to a network, the endpointbroadcasts a “DHCPDISCOVER” packet to initiate contact with a DHCPserver and obtain dynamic assignment of an IP address. The DHCPDISCOVERpacket includes the Media Access Control (MAC) address of the endpoint.

If there is no DHCP server to receive the broadcast on a local segmentto which the endpoint is attached, the DHCPDISCOVER packet may berelayed between networks by a DHCP relay, which may be present in arouter, network appliance, or other device on the local segment. If thisoccurs, the DHCP relay will add its own relay IP address to theDHCPDISCOVER packet so that DHCP servers will be able to send a reply tothe endpoint back through the DHCP relay.

When a DHCP server receives a DHCPDISCOVER packet, the DHCP serverresponds with a “DHCPOFFER” packet. The DHCPOFFER packet includes aproposed IP address and the DHCP server stores a record associating theproposed IP address with a MAC address of the endpoint. Several DHCPservers may receive a copy of the same DHCPDISCOVER packet and each DHCPserver my respond with a “DHCPOFFER” packet.

When an endpoint receives one or more DHCPOFFER packets it can acceptone of the received DHCPOFFERs by broadcasting a “DHCPREQUEST”containing the desired IP address. The DHCP server that sent thecorresponding DHCPOFFER packet will then respond with a “DHCPACK”packet, which assigns the associated IP address to the endpoint.

The IP address included in a DHCPOFFER packet is selected from one ormore address range(s) in a matching “scope.” A scope contains a range ofIP addresses and a set of criteria. The criteria are optionally comparedwith data (e.g., DHCP options) within a DHCPDISCOVER packet in order todetermine which scope(s) to select an IP address from for inclusion is aresulting DHCPOFFER packet. Thus, on set of DHCP options in aDHCPDISCOVER packet may result in selection of an IP address from afirst scope and a different set of DHCP options in a DHCPDISCOVER packetmay result in selection of an IP address from a second scope. The scopesare stored in an address allocation table in association with the DHCPserver. Some, none, or all of the IP addresses within a scope may beavailable depending on whether the addresses have been previouslyassigned to other endpoints.

Upon receiving the DHCPDISCOVER packet, the DHCP server must determinewhich scope to select an unused IP address from, based on one or morecriteria (e.g., DHCP options). The specific criteria available forselecting scopes varies depending on DHCP server implementations, butthe scopes are assigned based on the contents of the DHCPDISCOVERpacket. The criteria may include a Relay IP address or lack thereof.

A Relay IP address is inserted into DHCPDISCOVER and DHCPREQUEST packetsby a DHCP relay before relaying the packets. The Relay IP addressensures the DHCP server knows where to send the responses. DHCP relaysare used on segments where DHCP servers are not present. When aDHCPDISCOVER or DHCPREQUEST packet lacks a Relay IP address, thisindicates that the DHCP server received the packet from a local segment,without going through a DHCP relay. This implies that the DHCP servershould use the local scope associated with one of its network interfacecards.

Many models of routers and switches can be configured to selectivelyblock network packets originating from endpoints. The selective blockingof endpoint traffic, also known as filtering, is based on the contentsof the packet and its origination. The contents may include source anddestination IP address, protocol (e.g. IGMP, ICMP, TCP, UDP, . . . ),the port number (TCP or UDP port number), and other fields within thepacket. However, setup and management of these blocking features is alaborious non-dynamic task and may require undesirable changes ininfrastructure. There is, therefore, a need for improved methods ofselectively blocking network packets.

SUMMARY

The invention includes a secure network having at least a restrictedsubset and a less-restricted subset. Access to the restricted subset isavailable to endpoints that have satisfied an assessment (e.g., asecurity evaluation or audit). Access to the less-restricted subset isless restricted and may be available to devices that have not yetsatisfied an assessment. The less-restricted subset typically includesone or more devices configured for performing the assessment. Thus, anendpoint may initially access the less-restricted subset and, using theless-restricted subset, may undergo an assessment that allows access tothe restricted subset. The assessment may include a security audit, useridentification, or the like, as further described herein.

Endpoint access to the restricted subset and less-restricted subset arecontrolled using one or more access control lists of a router, switch,or other network device. The access control lists are configured suchthat endpoints having an IP address within a first range have access tothe less-restricted subset and not the restricted subset, and endpointshaving an IP address within a second range have access to the restrictedsubset. These first and second IP address ranges are optionally definedas separate subnets on the same network segment, as subnets spanningdifferent network segments, or combinations thereof. These subnets arereferred to herein as the restricted subnet and less-restricted subnetto respectively indicate their association with the restricted subsetand less-restricted subsets of the protected network. An endpoint may bemoved from a first subnet to a second subnet by changing the IP addressof the endpoint. Thus, access to the restricted subset may be controlledby assigning an appropriate IP address to the endpoint from therestricted subnet. Additional subnets, in addition to the first andsecond subnets, can be specified to define additional restricted subsetsand less-restricted subsets on the network.

In some embodiments, assignment of the restricted subnet to endpoints,and thereby access to the restricted subset, is controlled by settingthe proper combination of DHCP option parameters and values that may beincluded in a DHCPDISCOVER packet as received by a DHCP server. Theseparameters and values are set by a network filter associated with theDHCP server. In these embodiments, a DHCP server contains scopes thatspecify a range of IP addresses. The network filter inserts or modifiesthe option parameter responsive to whether or not the endpoint haspassed an assessment. As a result, the DHCP server selects theappropriate scope such that an endpoint that has not passed anassessment is assigned an IP address within the less-restricted subnet,while an endpoint that has passed the assessment is assigned an IPaddress from the restricted subnet. The network filter is optionallyinstalled on the computing device running the DHCP server, and iscapable of modifying received DHCP packets (e.g. DHCPDISCOVER andDHCPREQUEST) before they are otherwise processed by the DHCP server. Insome embodiments, the network filter is also configured to modifypackets sent by the DHCP server (e.g. DHCPOFFER and DHCPACK) before theyare transmitted to the network.

The network filter is software, hardware, or firmware logically disposedbetween that part of the DHCP server that processes DHCP packets and anexternal network, such that DHCP packets pass through the network filterwhen communicated between the part of the DHCP server that processesDHCP packets and the external network. The network filter may beincluded on the DHCP server or between the DHCP server and the externalnetwork. The use of a network filter associated with a DHCP serverresults in a scalable system and does not require any changes to thephysical network topology or addition of external servers. In someembodiments, the network filter includes a software shim. In someembodiments, the network filter includes a device placed between portsof the DHCP server and the network.

By changing the DHCP option in DHCPDISCOVER packets, the network filtercan control which address is assigned to the endpoint, and thereforewhat resources the endpoint can access when used in conjunction with theaccess control list created on the router. The router access controllist is configured such that IP addresses within the less-restrictedsubnet are only allowed access to elements of the less-restricted subsetand IP addresses within the restricted subnet are allowed access to theelements of the restricted subset.

In some embodiments, the assignment to the restricted subnet andless-restricted subnet is controlled by the network filter, throughmanipulations of the relay IP address in a DHCPDISCOVER packet. In theseembodiments, the network filter alters the relay IP address withinDHCPDISCOVER packet to control which subnet the DHCP server will assignto the endpoint. The network filter selects the relay IP address basedon whether the endpoint has been assessed to meet certain requirements.If the requirements have not been satisfied, the IP address of theDHCPDISCOVER packet is modified by the network filter so the DHCP serverassigns a less-restricted subnet address to the endpoint. If theassessment indicates the requirements have been satisfied, the networkfilter sets the relay IP address in DHCPDISCOVER packet such that theDHCP server assigns an IP address from the restricted subnet to theendpoint.

In order to assign an appropriate IP relay address (or DHCP option) thenetwork filter must have access to configuration information regardingwhich relay IP addresses will cause the DHCP server to assign anappropriate IP address. This may be accomplished by storing a copy ofthis information in a location accessible to the network filter.However, storing multiple copies of this information my increaseadministrative overhead. For example, if the DHCP server configurationis modified, then the update must be propagated to each local copy. Thismay particularly be a problem if the related configuration is managed byseparate programs. Storing related configurations from differentprograms increases the likelihood of configuration errors, makesconfiguration harder, and is difficult to keep synchronized. In someembodiments, to avoid the problems associated with managing the networkfilter and DHCP server configurations separately for restricted andless-restricted subnets, configuration information is stored in the DHCPserver configuration program or files, without storing the sameconfiguration information on the network filter. Thus, separatesubnet-specific configuration information need not be stored inassociation with the network filter. By using only standard DHCPconfiguration tools to store and manage configuration informationassociated with access criteria and network access configurationinformation (e.g., ACCESS CRITERIA), management complexity is greatlyreduced. ACCESS CRITERIA may include which relay IP addresses may beassigned to endpoints having passed an assessment, informationconfigured to manipulate DHCP packets to control access to theless-restricted and restricted subnets, and/or which endpoint addressescan bypass some or all assessments.

In some embodiments, reserved DHCP option parameters are used to conveyconfiguration information, such as that discussed above, between a DHCPserver and network filter. The conveyed configuration information may berelating to restricted and less-restricted subnets and may includeACCESS CRITERIA. In some embodiments, the DHCP option parameters used toconvey this configuration information are included in DHCPOFFER packets.In these embodiments, the network filter monitors DHCPOFFER packets andwhen it finds one addressed to an endpoint which has not met assessmentrequirements and which contains the reserved DHCP option(s) indicatingthe endpoint is subject to assessment, the network filter extracts andsaves the endpoint MAC, Relay IP address, and other ACCESS CRITERIA,then blocks (e.g., prevents communication of) the DHCPOFFER packet. Whenthe network filter receives a subsequent DHCPDISCOVER packet whichcontains the same MAC address and Relay IP address that was previouslysaved, it modifies the DHCPDISCOVER packet to obtain the less-restrictedsubnet (e.g. modifies the relay IP address or adds an option dependingon the ACCESS CRITERIA) if the endpoint has still not met the auditrequirements. This causes the DHCP server to assign the less-restrictedsubnet to the endpoint. If the endpoint meets the assessmentrequirements at a later time, the network filter lets the DHCPDISCOVERpacket and the DHCPOFFER packet pass through without these alterations.To ensure that the DHCP server will provide the DHCP options containingthe ACCESS CRITERIA in the DHCPOFFER, the network filter inserts arequest for reserved DHCP options into all received DHCPDISCOVERpackets.

BRIEF DESCRIPTION OF THE VARIOUS VIEWS OF THE DRAWINGS

FIG. 1 is a block diagram of a protected network according to variousembodiments of the invention;

FIG. 2 is a block diagram of a DHCP server according to variousembodiments of the invention;

FIG. 3 is block diagram of a network gatekeeper according to variousembodiments of the invention;

FIG. 4 illustrates a method of granting access to a secure subnetaccording to various embodiments of the invention; and

FIG. 5 illustrates an alternative method of granting access to a securesubnet according to various embodiments of the invention.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of a Protected Network 100, according tovarious embodiments of the invention. Protected Network 100 is eitherphysically or logically divided into a Less-Restricted Subset 105 and aRestricted Subset 110. Access to Protected Network 100 is possiblethrough an optional Access Point 132 and a DHCP relay such as a Router120. As is described further herein, this access is under the control ofa GateKeeper 125. GateKeeper 125 is configured to enforce a securitypolicy against one or more Endpoint 130 requesting access to RestrictedSubset 110. Typically, Restricted Subset 110 and Less-Restricted Subset105 are characterized by an access control list ACL 170 within Router120. Endpoint 130, Access Point 132 and Router 120 are connected bycommunication channels such as a cable, a local area network, theInternet, a telephone network, other computing network, and/or the like.In some embodiments, Access Point 132 is a network access server, aswitch, a wireless access point, a virtual private network interface, ahub, a router, or the like.

In various embodiments, Protected Network 100 includes a commercialnetwork, corporate network, telephone network, private network, localarea network, wide area network, wireless network, communicationnetwork, government network, university network, and/or the like.Less-Restricted Subset 105 is optionally a subset of Protected Network100 including at least GateKeeper 125. Less-Restricted Subset 105further includes a DHCP Server (dynamic host configuration protocolserver) 160 configured to manage and assign network addresses toEndpoint 130. In some embodiments, Less-Restricted Subset 105 furtherincludes an Update Module 155 configured for providing security updatesto an agent on Endpoint 130. For example, in one embodiment,Less-Restricted Subset 105 includes a first server configured tofunction as DHCP Server 160 and a second server configured to functionas GateKeeper 125. In one embodiment, Less-Restricted Subset 105includes a single computing device configured to function as both UpdateModule 155 and GateKeeper 125.

Restricted Subset 110 includes those elements of Protected Network 100not included in Less-Restricted Subset 105. Restricted Subset 110optionally includes devices such as a File Server 135, a Network PC 140,a Printer 145, or the like. In some embodiments, Protected Network 100includes elements having a hierarchy of access restrictions. Forexample, access to Network PC 140 may require a higher level ofauthority than access to File Server 135. In this case, as describedfurther herein, access control lists within Router 120 are used toindependently control access to specific devices within RestrictedSubset 110. Protected Network 100 may be large, including tens,hundreds, or thousands of devices. In various embodiments, Router 120may be considered part of Less-Restricted Subset 105 or RestrictedSubset 110.

GateKeeper 125 is configured to apply a security assessment to aninstance of Endpoint 130 before allowing access to Restricted Subset110. The security assessment may include requirements for useridentification such as user names and passwords, configurationrequirements relating to the configuration of Endpoint 130, applicationrequirements relating to applications running on Endpoint 130, or thelike. For example, in one embodiment GateKeeper 125 is configured torequire a user of Endpoint 130 to provide a username and password,require. Endpoint 130 to be running an operating system with specificsecurity patches, require that Endpoint 130 not be connected to anyinsecure devices, and/or require that Endpoint 130 have currentantivirus software installed.

In some embodiments, GateKeeper 125 is configured to assess compliancewith several alternative access configurations having different levelsof requirements, and to determine which configuration to provide basedon the identity of Endpoint 130, the identity of a user of Endpoint 130,those elements of Restricted Subset 110 to which access is requested,and/or the like. For example, a request to access File Server 135 mayhave to satisfy a configuration assessment that includes scanningEndpoint 130 for malicious code, while a request to access Printer 145may have to satisfy an assessment that includes establishing a useridentity. Assessments may be performed by scanning endpoints, makingremote calls on endpoints, or by communicating to an agent running onthe endpoint through the Less-Restricted Subset 105.

In some embodiments, a single instance of GateKeeper 125 is configuredto assess multiple endpoints residing on more than one Access Point 132,traversing through more than one Router 120 and/or accessing more thanone Protected Network 100. As is described further herein, access toRestricted Subnet 110 is controlled, in part, by setting access controllists within Router 120. In some embodiments, Protected Network 100includes a plurality of Router 120, a plurality of Access Points 132, aplurality of GateKeeper 125 and/or a plurality of Less-Restricted Subset105. Further details of GateKeeper 125 and Router 120 are discussedelsewhere herein.

Endpoint 130 is a computing device configured to operate as an end point(EP) in a communication channel including Router 120, Access Point 132,and Endpoint 130. In various embodiments, Endpoint 130 is a personalcomputer, a personal digital assistant, a telephone, a wireless device,a communication device such as another router, an Ethernet card, awireless card, another access point, a network device, a terminal, orthe like. Endpoint 130 is identified by a MAC address, and optionally bya cookie, by data stored on Endpoint 130, by a user name, an IP address,a network address, or the like.

In typical embodiments, Endpoint 130 is configured to execute a softwareand/or hardware agent for communicating with GateKeeper 125, and to makerequests for new IP addresses following an assessment or responsive toan event related to security. For example, in one embodiment, Endpoint130 includes an agent configured to monitor code running on Endpoint 130and report any suspicious code to GateKeeper 125. In another example,Endpoint 130 may include software and/or hardware configured to monitorother devices connected to Endpoint 130 and to report information aboutthese devices (e.g., their security statuses or MAC addresses) toGateKeeper 125. In another example, Gatekeeper may scan Endpoint 130independently of whether an agent is running on Endpoint 130.

Policy Manager 150 is configured to centrally create, update, anddistribute security policies enforced by one or more GateKeeper 125. Forexample, in various embodiments, Policy Manager 150 is configured tomanage passwords, to specify access privileges, to specify requirementsof security policies, or the like. In some embodiments, Policy Manager150 is configured to establish several security policies and to specifyconditions under which each of the security policies should be used. Forexample, a security policy may be selected for use responsive to adevice type of Endpoint 130 and/or the elements of Protected Network 100to which access has been requested.

Optional Update Module 155 is configured for remotely modifying Endpoint130, or a device connected to Endpoint 130, in order to improvecompliance with a security policy. For example, if it is found thatEndpoint 130 includes out-of-date antivirus software, then Update Module155 may facilitate updating of the antivirus software on Endpoint 130.In some embodiments, Update Module 155 is configured to update an agentexecuting on Endpoint 130. Update Module 155 is optionally included inRestricted Subset 110 or external to Protected Network 100. UpdateModule 155 optionally operates responsive to a security policy and/or toGateKeeper 125.

FIG. 2 is a block diagram of DHCP Server 160 according to variousembodiments of the invention. DHCP Server 160 includes an optionalNetwork Filter 230, and Input/Output 240, and DHCP Server Software 210including an Address Allocation Table 220 and Computing Instructions250. Address Allocation Table 220 includes a table of scopes, whose IPaddress ranges may be assigned to Endpoint 130. In various embodiments,DHCP Server Software 210 may include hardware or firmware in additionto, or instead of, software. DHCP Server Software 210 is optionallyoperative independently from Network Filter 230 for the provision ofDHCP services. Thus, in some embodiments, DHCP Server Software 210 andNetwork Filter 230 are separate (e.g., distinct or independent) systems.In some embodiments, DHCP Server Software 210 and Network Filter 230 areinstalled on different hardware devices.

In general, there are at least two classes of scopes, those whose IPaddresses may be assigned to an instance of Endpoint 130 that has passedan assessment and those whose IP addresses are assigned to instances ofEndpoint 130 that has not yet passed an assessment. These scopes arereferred to as restricted and less-restricted scopes, respectively. Insome embodiments, for each restricted scope that requires assessment, atleast one less-restricted scope is defined. The IP addresses within theless-restricted scope includes addresses that, as specified by ACL 170of Router 120, may communicate with devices on the less-restrictedsubnet, e.g., the Less-Restricted Subset 105, but not devices on therestricted subnet. Likewise, the IP address within the restricted scopeincludes address that, as specified by ACL 170 may communicate withdevices on the restricted subnet, e.g., the Restricted Subset 110, andoptionally also on less-restricted subnet.

Network Filter 230 is optionally included on the same computing deviceas DHCP Server Software 210, and can run within the same process as DHCPServer Software 210 or as part of a network protocol stack. NetworkFilter 230 is configured to manipulate DHCPDISCOVER packets responsiveto assessment results received from GateKeeper 125, if the DHCPDISCOVERpackets meet certain CONTROL CRITERIA. The CONTROL CRITERIA defines, forexample, (i) the DHCP option parameters and values in DHCPDISCOVERpackets that indicate whether the corresponding endpoint (e.g., Endpoint130) needs a security assessment, and (ii) the configuration informationrequired to select the restricted or less-restricted subnets responsiveto the assessment. The CONTROL CRITERIA may specify that the presence orabsence of one or more specific parameters in the DHCP options within aDHCPDISCOVER packet indicate an assessment should take place. Thesespecific parameters can then be used to determine whether an instance ofEndpoint 130 needs a security assessment. In some embodiments, these oneor more parameters include a relay IP address that is either within ornot within specified ranges or lists of IP addresses. In someembodiments, these one or more parameters include a hardware addressthat is either within or not within specified ranges or lists ofhardware addresses. Typically, Network Filter 230 obtains the ranges,lists, fields and instructions in the CONTROL CRITERIA by extracting theinformation from a configuration file or, as described further herein,in a communication from the DHCP server. Network Filter 230 may includefirmware, hardware and/or software.

In some embodiments, the scopes within Address Allocation Table 220 areassociated with the presence, absence, or value of one or more DHCPoption parameters. In these embodiments, DHCP option parameters may bereceived by DHCP Server 160 as part of the contents of DHCPDISCOVERpackets. In these cases, Computing Instructions 250 are configured toselect an IP address (for inclusion in a DHCPOFFER packet) from addressrange within the restricted subnet if a DHCP option parameter associatedwith the restricted subnet is present in the DHCPDISCOVER packet.Otherwise, an IP address from the address range within theless-restricted subnet is selected. Computing Instructions 250 areconfigured to process DHCP packets and may include firmware, hardwareand/or software.

In some embodiments, Network Filter 230 is configured to updateDHCPDISCOVER packets meeting the CONTROL CRITERIA with certaincombinations of DHCP option parameters responsive to the extent to whichEndpoint 130 has satisfied the requirements of one or more assessment.As a consequence of this modification of the DHCPDISCOVER packets, DHCPServer 160 will assign an IP address in a resulting DHCPOFFER packetfrom the scope associated with a restricted subnet if Endpoint 130 hassatisfied the assessment requirements. This IP address will allowEndpoint 130 to access Restricted Subset 110 via Router 120 as specifiedby ACL 170. If the address of Endpoint 130 has not met the assessmentrequirements, then Network Filter 230 will typically assure that theDHCP option parameters in the DHCPDISCOVER packet are associated withone of the less-restricted subnets. In this case, Computing Instructions250 will generate a DHCPOFFER packet including an IP address from theaddress range associated with the less-restricted subnet.

In alternative embodiments, Network Filter 230 is configured tomanipulate the relay IP addresses in DHCPDISCOVER packets that meet theCONTROL CRITERIA responsive to the extent to which Endpoint 130 hassatisfied assessment requirements. In these embodiments, Network Filter230 will first examine an incoming DHCPDISCOVER packet to see if thepacket comes from an instance of Endpoint 130 that has satisfied theassessment requirements. If the requirements have been met, NetworkFilter 230 will record the current relay IP address, then update therelay IP field of the DHCPDISCOVER packet with a new relay IP addresssuch that Computing Instructions 250 will select a scope from AddressAllocation Table 220 so that the offered IP address in a DHCPOFFERpacket is associated with the less-restricted subnet. The original relayIP address, which was previously saved by Network Filter 230, isinserted in the DHCPOFFER packet resulting from the updated DHCPDISCOVERpacket, such that the DHCPOFFER packet will be directed to the originalEndpoint 130 via Router 120. For example, after the relay IP address ischanged in the DHCPDISCOVER packet, the resulting DHCPOFFER packet willbe addressed to the modified relay IP address. Therefore, Network Filter230 is configured to replace the modified relay IP address in theoutgoing resulting DHCPOFFER packet with the original IP address inorder to redirect the packet back to the original IP address.

In some embodiments, Network Filter 230 reads CONTROL CRITERIA from theDHCPOFFER packet sent by Computing Instructions 250 responsive to theDHCPDISCOVER packet. Using DHCPOFFER packets to convey restricted andless-restricted subnet configuration information between AddressAllocation Table 220 and Network Filter 230 means that Network Filter230 does not need to store this information permanently, nor does anadministrator need to configure Network Filter 230 separately from otherparts of DHCP Server 160 when updating network configurations orsecurity requirements. This method permits changing the CONTROL CRITERIAfrom the DHCP server without requiring any changes to Network Filter230. To communicate CONTROL CRITERIA to Network Filter 230,administrators place the information into the DHCP option parametersdefined in the DHCP server's scopes, typically corresponding to thoserestricted subnets that must meet assessment requirements. The CONTROLCRITERIA placed into the DHCP option configurations in the scopes mayinclude relay IP addresses used by the less-restricted scopes, anindication that the restricted scope has a corresponding less-restrictedscope, and other parameters. When the incoming DHCPDISCOVER packet isreceived, the Network Filter 230 inserts a request for the DHCP optionsassociated with the CONTROL CRITERIA into the packet, and the ComputingInstructions 250 will convey the CONTROL CRITERIA by adding therequested DHCP option parameters in the resulting DHCPOFFER packet. Ifthe CONTROL CRITERIA indicates that the DHCPDISCOVER packet was receivedfrom an Endpoint 130 that has not met the requirements of an assessment,Network Filter 230 stores the identity (e.g. MAC address or the like)and CONTROL CONFIGURATION for Endpoint 130 into a list, and blocks theDHCPOFFER packet from being transmitted further. Endpoint 130 willtypically retry sending the DHCPDISCOVER packet because the previousDHCPOFFER packet was blocked. When Network Filter 230 receives thesubsequent DHCPDISCOVER packet from Endpoint 130, Network Filter 230will use the previously saved CONTROL CRITERIA to modify the subsequentDHCPDISCOVER packet so as to place Endpoint 130 on the restricted orless-restricted subnet, in accordance with its compliance to theassessment requirements.

Input/Output 240 is configured to receive DHCPDISCOVER packets fromEndpoint 130 and to communicate back DHCPOFFER packets. For example, invarious embodiments, Input/Output 240 is a network interface card, acommunication port, an Ethernet port, or other connection point betweenDHCP Server 160 and a network external to DHCP. Server 160. In someembodiments, Network Filter 230 is logically disposed (e.g., part of thecommunication path) between Input/Output 240 and Computing Instructions250.

An instance of Endpoint 130 that has access to Less-Restricted Subset105 but not Restricted Subset 110 may optionally undergo an assessmentusing GateKeeper 125 in order to gain access to all or part ofRestricted Subset 110. If the requirements of the assessment aresatisfied then the MAC address of Endpoint 130 is added to the list ofMAC addresses associated with devices that have passed the assessment.Endpoint 130 may then request a new IP address from DHCP Server 160 andreceive a new IP address within the restricted subnet that, responsiveto ACL 170, will allow communication with elements of Restricted Subset110. In some embodiments, an agent running on Endpoint 130 andcommunication with GateKeeper 125 is configured to make the request fora new IP address.

FIG. 3 is block diagram of GateKeeper 125, according to variousembodiments of the invention. GateKeeper 125 includes one or moresecurity policies, such as Security Policy 310 and Security Policy 320,a Policy Auditor and an Access Control 340.

Access Control 340 is configured to manage storage of the list of MACaddresses are associated with devices that have passes the requirementsof Security Policies 310 or 320. This list may be stored on DHCP Server160 or GateKeeper 125. Access Control 340 is responsive to PolicyAuditor 330 included in GateKeeper 225. Policy Auditor 330 is configuredto receive a request for access to Restricted Subset 110 from Endpoint130, to determine which of Security Policy 31 or optional SecurityPolicy 32 applies to the current request, to perform a assessment ofEndpoint 130 based on the appropriate member of Security Policies 310and 320, and to notify Access Control 340 if the assessment is passedand that the MAC address of Endpoint 130 may be added to the MAC addresslist. Access Control 340 adds the MAC address to the MAC address list.

FIG. 4 illustrates a method of granting access to a secure subnetaccording to various embodiments of the invention. In these embodiments,Network Filter 230 receives a DHCPDISCOVER packet from Endpoint 130 viaRouter 120 in a Receive Discovery Packet Step 410. The receivedDHCPDISCOVER packet includes the MAC address of Endpoint 130 and a relayIP address, a segment of which is typically associated with Router 120.Router 120 includes ACL 170 characterizing Less-Restricted Subset 105and Restricted Subset 110.

In a Check MAC Address Step 420, Network Filter 230 determines if theMAC address included in the DHCPDISCOVER packet received in ReceiveDiscovery Packet Step 410 is included in the list of MAC addressesassociated with devices qualified to access Restricted Subset 110 ofProtected Network 100.

In an Alter Option Parameter Step 430, Network Filter 230 alters a DHCPoption parameter of the received DHCPDISCOVER packet responsive towhether the MAC Address received in Receive Discovery Packet Step 410 isincluded in the list of MAC addresses associated with devices qualifiedto access Restricted Subset 110. The altered DHCP option parameter isconfigure for controlling whether Computing Instructions 250 will offeran IP address within the less-restricted subnet and associated withLess-Restricted Subset 105, or an IP address within the restrictedsubnet and associated with Restricted Subset 110.

In a Pass Altered Discovery Packet Step 440, Network Filter 230 passesthe altered DHCPDISCOVER packet to Computing Instructions 250 of DHCPServer 160. DHCP Server 160 is configured to respond to the alteredDHCPDISCOVER packet with an IP address within the restricted subnet orthe less-restricted subnet responsive to the altered option parameter.Whether the IP address is within the restricted subnet or theless-restricted subnet will determine the ability of Endpoint 130 toaccess the Less-Restricted Subset 105 or Restricted Subset 110 asdetermined by ACL 170. For example, an IP address within theless-restricted subnet will result in access to Less-Restricted Subset105 but not Restricted Subset 110. Using this IP address, Endpoint 130will be able to access Less-Restricted Subset 105 but notLess-restricted subset 100, due to the configuration of ACL 170.

If Endpoint 130 is provided with an IP address that does not allowaccess to Restricted Subset 110, Endpoint 130 may request an assessmentfrom GateKeeper 125. In response to this request, GateKeeper 125 mayperform an assessment in an optional Perform Audit Step 450. If thisassessment is successful, an agent on Endpoint 130 may cause Steps 410through 440 to be repeated in order to receive an IP address that doesallow access to Restricted Subset 110 via Router 120.

FIG. 5 illustrates an alternative method of granting access toRestricted Subset 110 according to various embodiments of the invention.In these embodiments, a relay IP address associated with Router 120 ismodified to determine which IP address DHCP Server 160 will include in aDHCPOFFER packet, and thereby to determine the access privileges thatEndpoint 130 will have.

In a Receive First Discover Packet Step 510, a first DHCPDISCOVER packetis received by Network Filter 230 via Router 120 from Endpoint 130. TheDHCPDISCOVER packet typically includes the MAC address of Endpoint 130and a relay IP address associated, in part, with Router 120. Router 120is associated with at least a first relay IP address associated with arestricted subnet and a second relay IP address associated with aless-restricted subnet.

In a Receive First DHCPOFFER Step 520 a first DHCPOFFER packet,responsive to the first DHCPDISCOVER packet, is received by NetworkFilter 230. The DHCPOFFER packet includes the MAC address of Endpoint130 and information (e.g., ACCESS CRITERIA) regarding the securitystatus associated with that MAC address. This information is placed inthe DHCPOFFER packet by Computing Instructions 250 may be in the form ofa DHCP option or any other data within the DHCPOFFER packet.

In a Store IP Addresses Step 530 the information, regarding securitystatus received in Receive First DHCPOFFER Step 530 is stored by NetworkFilter 230 in association with the MAC address of Endpoint 130. Thisstorage is optionally local to Network Filter 230

In a Drop First DHCPOFFER Step 540, the DHCPOFFER packet received inReceive First DHCPOFFER Step 520 is dropped (e.g., terminated and notforwarded).

Receive First Discover Packet Step 510 through Drop First DHCPOFFER Step540 are used to convey the security status associated with a MACaddress, and/or optionally other configuration information, to NetworkFilter 230. In alternative embodiments, this information may be conveyedthrough other means. For example, via a table accessible to both AccessControl 340 and Network Filter 230. These steps are therefore optional.

In a Receive Second Discover Packet Step 550 a second DHCPDISCOVERpacket is receive at Network Filter 230 from Endpoint 130. The secondDHCPDISCOVER packet is optionally identified as being a second requestfrom the same source as the request received in Receive First DiscoverPacket 510 because it includes the same MAC address of Endpoint 130.

In a Determine Access Privilege Step 560 Network Filter 230 determinesif the MAC address of Endpoint 130 is included in the list of MACaddresses of devices qualified to access Restricted Subset 10 ofProtected Network 100.

In an Alter Second Discover Packet Step 570 the received secondDHCPDISCOVER packet is altered by changing the relay IP address of thesecond DHCPDISCOVER packet such that it reflects a relay IP addressassociated with restricted subnet of Router 120, if the MAC address ofEndpoint 130 is included in the list of MAC addresses of devicesqualified to access Restricted Subset 110. Alternatively, if the MACaddress of Endpoint 130 is not included in this list of MAC addresses,then the relay IP address of the second DHCPDISCOVER packet is changedto reflect a relay IP address associated with the less-restrictedsubnet. The associations between relay IP addresses and the restrictedsubnet and less-restricted subnet are reflected in the configuration ofRouter 120 as well as Address Allocation Table 220. The associationsbetween relay IP addresses and the restricted subnet and less-restrictedsubnet are optionally conveyed to Network Filter 230 via Steps 510through 540 of FIG. 5.

Network Filter 230 passes the DHCPDISCOVER packet to ComputingInstructions 250. Computing Instructions 250 are configured to select anIP address, for inclusion in an DHCPOFFER packet, from AddressAllocation Table 220 responsive to the relay IP address altered in AlterSecond Discover Packet Step 570. If the altered relay IP address isassociated with the restricted subnet then the retrieved IP address willbe within the scope of the restricted subnet. If the altered relay IPaddress is associated with the less-restricted subnet then the retrievedIP address will be within the scope of the less-restricted subnet.

In a Pass Altered DHCPOFFER Step 580, the DHCPOFFER packet prepared byComputing Instructions 250 is received by Network Filter 230. Ifnecessary, the relay IP address within the DHCPOFFER packet is replacedby the original relay IP address, such that the DHCPOFFER packet may bedirected back to Endpoint 130 via Router 120. This altered DHCPOFFERpacket is then passed on by Network Filter 230 for delivery to Endpoint130.

Several embodiments are specifically illustrated and/or describedherein. However, it will be appreciated that modifications andvariations are covered by the above teachings and within the scope ofthe appended claims without departing from the spirit and intended scopethereof. For example, the methods described herein may be used to cancelaccess to a restricted network if an endpoint fails a subsequentsecurity assessment. Further, steps 510 through 540 of FIG. 5 areoptionally followed by the methods of FIG. 4, rather than steps 550through 580 of FIG. 5. Further, the systems and methods discussed hereinare optionally embodied in the form of computing instructions stored oncomputer readable media. These computing instructions may be dividedinto code segments configured to perform method steps.

The embodiments discussed herein are illustrative of the presentinvention. As these embodiments of the present invention are describedwith reference to illustrations, various modifications or adaptations ofthe methods and or specific structures described may become apparent tothose skilled in the art. All such modifications, adaptations, orvariations that rely upon the teachings of the present invention, andthrough which these teachings have advanced the art, are considered tobe within the spirit and scope of the present invention. Hence, thesedescriptions and drawings should not be considered in a limiting sense,as it is understood that the present invention is in no way limited toonly the embodiments illustrated.

1. A method of controlling access to a protected network, the methodcomprising: receiving a DHCPDISCOVER packet at an input of a DHCP servervia a router from an endpoint having an address, the router including anaccess control list characterizing a restricted subnet and aless-restricted subnet of the protected network; determining if theaddress within the DHCPDISCOVER packet received at the input is includedin a list of addresses qualified to access the restricted subnet of theprotected network; altering the DHCPDISCOVER packet received at theinput responsive to whether the address is included in the list ofaddresses qualified to access the restricted subnet; passing the alteredDHCPDISCOVER packet to computing instructions included in the DHCPserver, the computing instructions configured to generate a DHCPOFFERpacket; generating the DHCPOFFER packet responsive to the alteration ofthe DHCPDISCOVER packet, the DHCPOFFER packet including an IP addressassociated with the restricted subnet if the address is included in thelist of addresses qualified to access the restricted subset, theDHCPOFFER packet including an IP address associated with theless-restricted subnet if the address is not in the list of addressesqualified to access the restricted subset, the IP address associatedwith the restricted subnet having access to the restricted subsetresponsive to the access control list.
 2. The method of claim 1, furtherincluding adding the address to the list of addresses qualified toaccess the restricted subnet responsive to an assessment performed usinga gatekeeper, the gatekeeper being a member of the less-restrictedsubnet.
 3. The method of claim 1, wherein the address is a MAC address.4. A method of controlling access to a protected network, the methodcomprising: receiving a first DHCPDISCOVER packet at a network filterfrom an endpoint having an address, the first DHCPDISCOVER packetincluding a first relay IP address; determining if the address of theendpoint is included in a list of addresses qualified to access arestricted subnet of the protected network; altering the received firstDHCPDISCOVER packet by replacing a first relay IP address with a secondrelay IP address if the address is qualified to access the restrictedsubset; and passing the altered first DHCP DISCOVER packet to computinginstructions of a DHCP server such that the DHCP server will respond tothe DHCPDISCOVER packet including the second relay IP address with an IPaddress that will allow access to the restricted subset responsive to anaccess control list, the IP address being within a scope associated witha restricted subnet.
 5. The method of claim 4, further includingreceiving a second DHCPDISCOVER packet at the network filter from theendpoint, the second DHCPDISCOVER packet being received prior toreceiving the first DHCPDISCOVER packet; receiving a DHCPOFFER packet atthe network filter responsive to the second DHCPDISCOVER packet, theDHCPOFFER packet including configuration information regarding an IPaddress associated with a less-restricted scope; storing the address ofthe endpoint in association with the configuration information in alocation accessible to the network filter; and dropping the secondDHCPOFFER packet
 6. The method of claim 4, further including receiving aDHCPOFFER packet in response to the first DHCPDISCOVER packet; andreplacing an instance of the second relay IP address in the receivedDHCPOFFER packet with an instance of the first relay IP address.